Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

So, my query is, how can I combine both these queries such that if cloudname=test1 then, the first lookup (lookup_test1) is called else, if cloudname=test2 then the second lookup (lookup_test2) is called

1 Answer

Since the searches are all inputlookups, we don't have to worry about the expense of the search.

Therefore, we can just add a filter before each of the joins that will kill the records from the other cloud, and then append the two searches together. This assumes the search will be in a panel and there is a token named mycloudtoken that contains either "test1" or "test2"